
User16619472878288144179 (Customer) asked a question.
We're using SAML identity providers in our Okta Tenant. We would like to log the raw SAML assertions during failure for trouble-shooting purposes. If the Okta errors are obscure/un-helpful, we'd be able to trouble-shoot the SAML problem by inspecting the raw SAML assertion (unless the problem occurred decrypting it, in which case this error would be stated).

Hi! An absolutely awesome tool I use for this is a browser plugin (I use Chrome, so I will share that link):
SAML Tracer
This will capture all the SAML traffic you are sending from your session, and it will pick up on assertions, etc. When, say, selecting a tile in Okta, look for the orange "SAML" lines in the logs and it gives you a nice, formatted output that is much easier to read.
I am sure there are additional tools out there, but I have been using this for a while and it has been working rather well for my needs.
Thanks!
I'm familiar with this tool, and I agree that it's a good solution when a customer with issues can schedule time to run it during a support call.
Unfortunately, our operating environment is the following:
We're replacing our home-grown SAML endpoint with Okta. With our home-grown implementation we logged all unencrypted SAML assertions. We were able to trouble-shoot all sorts of problems with this telemetry, as well as demonstrate to clients errors in what they sent. We didn't just say "You did it wrong" - we could show them exactly what was wrong in an indisputable manner.
If Okta doesn't log unencrypted SAML assertions when there are problems, that's a pretty big 'gap' from our home-grown system.
We can use: "Preview the SAML assertion generated from the information above" under the SAML settings.
This allows you to create examples of valid SAML payloads. It doesn't allow you to view SAML payloads received by the Okta tenant (which is what I need when trouble-shooting a connectivity issue).
It can let you know what the assertions are during authentication with SAML for this user. It's the same as SAML Tracer when you log in.
It can show me how to create SAML for a client. It can't show me the 'wrong' SAML a client may have sent. I often have to tell users what wrong information they sent in order for them to figure out what went wrong - "Oh, that looks like a SAML packet from our UAT environment instead of production - let me fix that".
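The capture the original poster describes (log the unencrypted SAML Response the SP received and show the client exactly which field is wrong) is straightforward to do on your own ACS endpoint. The following is an added example written for this thread; it is not code from the thread, from Okta, or from any product. Every URL, the expected production values, and the sample SAMLResponse are constructed for illustration, and `capture_failed_login` is a hypothetical hook you would call from the ACS handler. It decodes the base64 `SAMLResponse` form field, pulls out status, Destination, Issuer, Audience and the validity window, lists every mismatch, and keeps the raw XML only when something failed. The sample response is a "Success" from a UAT issuer, the exact case mentioned above, and the encrypted-assertion caveat from the question is handled by reporting that decryption must happen first.

```python
# Added example for this thread (not Okta code): SP-side capture of a raw
# SAML Response that lists what is wrong with it. URLs, expected values and
# the sample response are all constructed for illustration.
import base64
import logging
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input in production
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical production values this SP expects (assumptions, not Okta settings).
EXPECTED_ISSUER = "https://idp.example.com/saml"
EXPECTED_AUDIENCE = "https://app.example.com/sp"
EXPECTED_DESTINATION = "https://app.example.com/saml/acs"

log = logging.getLogger("saml.capture")


def decode_saml_response(b64_response: str) -> str:
    """Decode the base64 SAMLResponse form field exactly as the browser POSTed it."""
    return base64.b64decode(b64_response).decode("utf-8")


def _parse_time(value: str) -> datetime:
    """SAML timestamps are xs:dateTime in UTC, e.g. 2024-05-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def inspect_response(xml_text, expected_issuer, expected_audience,
                     expected_destination, now=None):
    """Extract the fields that usually explain a failure and list every mismatch."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    findings = []
    fields = {"destination": root.get("Destination"), "status": None,
              "issuer": None, "audience": None, "encrypted": False}

    code = root.find("samlp:Status/samlp:StatusCode", NS)
    fields["status"] = code.get("Value") if code is not None else None
    if fields["status"] != SUCCESS:
        findings.append(f"IdP returned status {fields['status']!r}, not Success")
    if fields["destination"] != expected_destination:
        findings.append(f"Destination {fields['destination']!r} is not this ACS {expected_destination!r}")

    # The question's caveat: an encrypted assertion can only be read after decryption.
    if root.find("saml:EncryptedAssertion", NS) is not None:
        fields["encrypted"] = True
        findings.append("assertion is encrypted; decrypt with the SP key before inspecting")
        return fields, findings

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("response carries no <saml:Assertion>")
        return fields, findings

    fields["issuer"] = assertion.findtext("saml:Issuer", namespaces=NS)
    if fields["issuer"] != expected_issuer:
        # The "that's our UAT IdP, not production" case from the thread.
        findings.append(f"issuer {fields['issuer']!r} is not the expected {expected_issuer!r}")

    fields["audience"] = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if fields["audience"] != expected_audience:
        findings.append(f"audience {fields['audience']!r} is not this SP {expected_audience!r}")

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _parse_time(cond.get("NotBefore")):
            findings.append(f"NotBefore {cond.get('NotBefore')} is in the future (clock skew?)")
        if cond.get("NotOnOrAfter") and now >= _parse_time(cond.get("NotOnOrAfter")):
            findings.append(f"NotOnOrAfter {cond.get('NotOnOrAfter')} has passed (expired or replayed?)")
    return fields, findings


def capture_failed_login(b64_response, now=None):
    """Hypothetical ACS hook: decode, inspect, and keep the raw XML only on failure."""
    xml_text = decode_saml_response(b64_response)
    fields, findings = inspect_response(xml_text, EXPECTED_ISSUER,
                                        EXPECTED_AUDIENCE, EXPECTED_DESTINATION, now)
    if findings:
        for f in findings:
            log.warning("SAML failure: %s", f)
        # Assertions carry user attributes, so treat this log as sensitive.
        log.debug("raw SAMLResponse:\n%s", xml_text)
    return fields, findings


# Constructed sample: a Success response whose Issuer is a UAT IdP, not production.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="{EXPECTED_DESTINATION}">
  <saml:Issuer>https://idp.uat.example.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.uat.example.com/saml</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()
FIXED_NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    capture_failed_login(SAMPLE_SAMLRESPONSE, now=FIXED_NOW)
```

Two practical notes. This only inspects; signature validation still belongs to your SAML library, and a response that fails signature checks should be captured too, since a wrong signing certificate is the other common "obscure error" case. And because the assertion contains the NameID and attribute values, keep the raw-XML log at a restricted level or redact the Subject before it goes to shared telemetry.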
@Mihai N. (Okta, Inc.) Is there any feature currently supported that would help to resolve @User16619472878288144179 (Customer) 's question? Thus far he has been referred to the "Preview the SAML Assertion" and the SAML Tracer plugin. Appreciate any feedback. Thanks in advance.
In case it is not supported, please be aware @User16619472878288144179 (Customer) that you can submit this as a feature request on Okta Ideas
Thanks!
Nothing beyond what was already mentioned. Would be great to have though.
Found this, might be worth an upvote:
https://ideas.okta.com/app/#/case/165828
Got it - never hurts to ask one of the experts! It certainly received my vote.
Thanks again
I have control of the front-end/back-end for my application, so I was able to use the following work-around: